Hey Developer, Give me your API keys!!

This is just another friendly article, without any secret “Ninja” techniques!!

Credits: thanks to the security team of Infoziant Labs for their consistent support!

DISCLAIMER: In this blog post I am not going to talk about any advanced stuff, nor any secret techniques. This blog is all about how developers sometimes make silly mistakes (after all, developers are human too :P)!!

Now, some of you might say:

Okay, okay. Hold on and read the full article!!

Every year we see data breaches, hacks and ransomware attacks on big IT giants. In most of these hacks the causes are server-side system vulnerabilities, client-side flaws in the application, and social engineering too!!


But there are a few cases in which the cause of these kinds of attacks is just a silly mistake made by developers, like leaving their secret API keys, AWS secret keys, MySQL credentials, or their Slack channel’s credentials in their public repositories.

Even I am not an expert, though.

Later on in this post I will show you one of my recent findings, which illustrates how I found a secret API key of Crowdin’s test project and successfully pwned their test project. [The issue is fixed now]

What is the worst that can happen?!

In the past I have seen some cases where developers left hardcoded credentials in their company’s Android application, which later gave me access to their admin dashboard.

credits to the creator of this meme :p

Some developers encode their API keys using Base64 and think an attacker will not be able to find them. I mean, are they serious? Base64 is an encoding, not encryption, so it is no solution to this issue: a Base64-encoded API key can be decoded by anyone who finds it!!
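As an added example (not code from the original post or from Crowdin), here is a small Python secret scanner that sees straight through the Base64 trick: it matches documented key formats in plain text and again after decoding every Base64-looking token, so an encoded key is reported just like a plaintext one. The sample config, the Slack token value and the helper names are constructed for this illustration.

```python
import base64
import re

# Secret formats a defender would scan for. The AWS access key ID shape
# (AKIA + 16 uppercase alphanumerics) and the Slack "xox?-" prefix are
# publicly documented; treat this table as a starting point, not a full set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

# Any run of Base64 alphabet long enough to hide a key, with optional padding.
BASE64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _try_decode(candidate: str):
    """Return decoded text if candidate is valid Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def find_secrets(source: str):
    """Scan source text and return (line_no, kind, encoding) for every hit.

    'plain' means the key sat in clear text; 'base64' means it was only
    visible after decoding a token, i.e. the obfuscation bought nothing.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, kind, "plain"))
        for candidate in BASE64_CANDIDATE.findall(line):
            decoded = _try_decode(candidate)
            if decoded is None:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(decoded):
                    hits.append((line_no, kind, "base64"))
    return hits


# Constructed sample config. AKIAIOSFODNN7EXAMPLE is the placeholder key ID
# from AWS's own documentation; the Slack value is a made-up token, Base64'd.
SAMPLE = "\n".join([
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    'SLACK = "' + base64.b64encode(b"xoxb-000000000000-constructedexampletoken").decode() + '"',
    'LOG_LEVEL = "INFO"',
])

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE):
        print(hit)
```

Running it reports the plaintext AWS key on line 1 and the Slack token on line 2 even though only its Base64 form appears in the file.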

“Crowdin is a localization management platform designed to automate localization within agile software development. With more than 1,000,000 user accounts, the platform is used by development companies in 140 countries”.